Access restriction on application classes

Hi, We are developing a EJB-based business application which publishes an API for the Client application. These APIs are actually the methods of the EJBRemote objects. The processing flow for any API call from the Client application is as follows: Client application -> Session Bean -> Business Object (which does Validation) -> Business Object (which interacts with the Data access layer) -> Data access layer. Now, is it possible to restrict the Client application from directly calling the Business Object (which interacts with the Data access layer) without calling the Session Bean layer (thus breaking our application). In other words, can we force the Client application to call only our Session Beans? Since we are hosting our application on an application server (Weblogic, Websphere etc), the Client may use this application server for hosting other applications as well; hence we have limited control on the application server behaviour. Any idea is welcome.

It seems to me like not allowing the JAR files that contain the business objects to be installed on the client machines would work fine. Another option would be to (perhaps) include a check in the top-level business object for something that can only be provided by the Session EJB (perhaps the EJB context). Kyle ------------------ Kyle Brown, Author of Enterprise Java (tm) Programming with IBM Websphere See my homepage at http://members.aol.com/kgb1001001 for other WebSphere information. [This message has been edited by Kyle Brown (edited October 25, 2001).]